INFORMATION SECURITY PROGRAM
Department of Transportation

Report Number: FI-2003-086
Date Issued: September 25, 2003


U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:  ACTION: Information Security Program, Department of Transportation
          FI-2003-086
Date:     September 25, 2003

From:     Alexis M. Stefani
          Principal Assistant Inspector General for Auditing and Evaluation
Reply to Attn. of: JA-20

To:       Chief Information Officer

This report presents the results of our audit of the information security program at the Department of Transportation (DOT). Responding to requirements of the Federal Information Security Management Act (FISMA), our objective was to evaluate DOT's information security programs and practices. We focused our evaluation on management controls, network and Electronic-government (E-government) security, systems security, protecting national-critical systems, personnel security, and system contingency planning. We also provided input (Exhibit A) to DOT's annual FISMA report by answering questions specified by the Office of Management and Budget (OMB). Our scope and methodology are described in Exhibit B.


INTRODUCTION

FISMA requires Federal agencies to ensure that computer systems and data are adequately protected from losses due to attacks. Protecting computer systems and data presents a challenge to all Federal agencies. Because DOT maintains one of the largest portfolios of information technology (IT) investments in the Federal government, it is critical that DOT protects its systems and sensitive data. In fiscal year (FY) 2003, DOT's information technology budget totaled about $2.7 billion.[1]

[1] Excludes budget for the U.S. Coast Guard and the Transportation Security Administration, which transferred to the Department of Homeland Security in March 2003.

DOT has 12 major organizations (Exhibit C) with about 630 computer systems. DOT systems include safety-sensitive air traffic control systems and surface transportation systems, as well as financial systems that disburse over $50 billion in Federal funds each year. DOT also maintains air traffic control systems that are essential to the Nation's defense, economic security, or public confidence. These "national-critical" systems need to be secured on a priority basis.

During FY 2003, DOT also continued to expand its E-government services, doubling the number of public web sites to more than 400. DOT uses these web sites, which contain millions of web pages, to conduct business, such as accepting hazardous material shipment registrations and payments; and to disseminate information, such as temporary flight restrictions or motor carrier safety records.


RESULTS IN BRIEF

For the last 2 years, DOT reported its information security program as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA). This year, DOT made significant progress toward meeting its commitment to improve information security.

The most noteworthy improvement DOT has made since we began the annual information security review in FY 2001 is in protecting its computer systems from attack by outsiders. For example, DOT enhanced its defense against intrusions from the Internet in FY 2002, and further reduced its vulnerability to attack this year by establishing a Departmentwide security incident response center. This center, with the cooperation of FAA's incident response center, detects, analyzes, and prevents hundreds of potential intrusions from the Internet on a daily basis. Also, this year, DOT appointed a Chief Information Officer (CIO), increased the CIO's resources and influence, and developed a more reliable inventory of systems; all of which further strengthened DOT's information security protection. In addition, air traffic control systems and facilities stayed operational during the recent blackout as a result of quickly switching to their emergency backup systems.

However, DOT still has a long way to go in securing its computer systems from attack by insiders: employees, contractors, grantees, and industry associations. According to the Federal Bureau of Investigation, insiders remain a major threat—about 50 percent of unauthorized activities against all computers were done by insiders during 2003. DOT is not exempt from such a threat. A critical control to mitigate such threats is to perform security certification reviews on individual systems. However, only 33 percent of DOT's systems will have completed such reviews by September 2003. We also found that DOT needs to continue enforcing background checks on contractor employees performing sensitive system work, and to enhance its contingency planning to ensure business continuity in case key computer system operations are disrupted for a prolonged period of time.

In view of the security weaknesses that still need to be corrected, DOT's information security program remains a material weakness and requires continued senior management attention. In FY 2004, it will be critical for the departmental CIO, with support from the Operating Administrators and their respective CIOs, to continue exercising leadership and providing the direction and oversight to ensure that the Operating Administrations develop adequate plans to correct the remaining weaknesses and execute those plans effectively. DOT's progress in correcting the remaining weaknesses will help clarify whether the CIO has adequate authority, resources, and processes to ensure effective IT security and investment management controls.

As a result of this year's assessment, we are making a series of recommendations on pages 14 and 15 of this report to help the Department correct the material weakness. By implementing these recommendations, DOT should not only increase its defense against insider attacks but also enhance the oversight of its multi-billion dollar annual IT investments. The DOT CIO agreed with our findings and recommendations.


FINDINGS AND RECOMMENDATIONS

Management Controls

The Clinger-Cohen Act requires that DOT appoint a CIO responsible for ensuring that the Department acquires and operates cost-effective IT systems, and protects the systems and data from attack. In FY 2002, we reported that DOT had not had a CIO since January 2001 and that the CIO lacked the authority to require the Operating Administrations to implement DOT security guidance. We recommended that DOT appoint a CIO and establish the CIO's authority to approve Operating Administration IT budgets and to provide input to Operating Administrations' CIO performance appraisals.

During FY 2003, DOT made progress by appointing a Departmentwide CIO and obtaining significant budget increases for the Office of the CIO. Although DOT did not give the CIO the authority to approve Operating Administration IT budgets or to provide input into Operating Administrations' CIO performance appraisals as we recommended, it did increase the CIO's influence over IT decisions by forming a departmental Investment Review Board (the Board). The Board, chaired by the Deputy Secretary, with the CIO, the Chief Financial Officer, the General Counsel, and the Assistant Secretary for Administration as official members designated by the Secretary, has the authority to approve, modify, or terminate major IT investments.[2]

[2] Designation of official Board members was specified in the DOT Information Technology Capital Planning and Investment Control Manual, June 21, 2002.

Creation of the Board, appointment of a CIO, and enhancement of the CIO's influence should improve DOT's oversight of IT investments and security; however, it is too early to judge the effectiveness for two reasons. First, historically, the Operating Administrations have functioned independently on IT matters with little departmental direction. Second, the Review Board only began reviewing IT investments in June of this year. DOT's ability to improve computer security is closely tied to the effectiveness of the IT review process because the security needs of IT projects and programs must be considered in making investment decisions. Much of the value added by the CIO will come through his involvement in investment decisions. Under the Clinger-Cohen Act, the CIO is responsible for promoting effective processes to acquire and operate information systems, and for ensuring that systems are adequately protected from threats.

During FY 2004, at the request of the Senate Appropriations Committee, we plan to evaluate the effectiveness of the CIO's efforts to coordinate with the Operating Administrations in improving IT security and investment controls. This year, we identified the following opportunities to improve DOT's IT investment review process, which should result in better secured and more cost-effective IT investment.

- Criteria are needed to help the Board select IT investments for review. This year, the Board focused on reviewing "cross-cutting" IT projects concerning more than one Operating Administration. For example, the Board reviewed the progress of implementing a new departmental accounting system, the status of converting the departmental payroll system, and a proposal to consolidate the IT infrastructure in DOT Headquarters. However, the Board reviewed only one Operating Administration-specific investment, and did so only after we had identified significant cost and schedule problems in the project.

  The Board needs to play a more proactive role in identifying high-risk Operating Administration IT investments for review, considering that over 90 percent of DOT's IT budget is appropriated directly to the Operating Administrations. There is also a significant need for increased management oversight of these investments. We have issued several reports on major acquisitions involving extensive software development work that require senior management level attention.[3] For example, FAA's Wide Area Augmentation System (WAAS), Standard Terminal Automation Replacement System (STARS), and Local Area Augmentation System (LAAS) have all experienced significant cost overruns (from 31 percent to 227 percent) and schedule delays (from 4 years to 7 years). Congress has also expressed concerns over "the potential for dramatic cost escalation" in FAA's multi-billion-dollar new En Route Automation Modernization (ERAM) project.

  The Board needs to issue more specific criteria for identifying IT projects for its review, and direct the Operating Administrations to brief the Board on IT projects that meet the specified criteria.

  [3] Status of FAA's Major Acquisitions, Report Number: AV-2003-045, June 26, 2003; and DOT Top Management Challenges, Report Number: PT-2003-012, January 17, 2003.

- We found that more substantive, in-depth reviews of Operating Administration IT budget requests are needed. This year, the Operating Administrations submitted 60 business cases to the CIO Office for review and the Board's approval for budget submission. However, the Board did not start reviewing any IT investment until June this year and the Operating Administrations did not submit budget proposals until August. Due to the short timeframe, the reviews were limited to ensuring that required data were included in the submission, rather than verifying that the data were reliable and reasonable. In our opinion, more substantive, in-depth review of Operating Administration budget proposals is needed to prevent the reviews from being superficial and cursory.

  The CIO Office plans to start the budget review process earlier next year. This early start, in conjunction with more experience in reviewing IT investment projects, should enable the Board to provide more insightful oversight of next year's budget requests.

- Establishing the Board with departmental membership represents a significant step forward. However, communications between the departmental Board and the Operating Administrations can be improved. This year, there was inadequate representation from the Operating Administrations when the Board met to discuss "cross cutting" IT investments or investments concerning a particular Operating Administration. For example, when the Board met to discuss annual IT budget requests, FAA was not represented to answer questions even though it was responsible for the largest budget component. Conversely, the departmental CIO Office was not represented when FAA met to make major IT investment decisions.


Network and E-government Security

DOT has thousands of computers on its internal networks. These systems contain sensitive information. DOT employees, contractors, grantees, and industry associations access these computers through either the Internet (front doors) or other network connections (back doors). In addition, DOT uses over 400 public web sites to provide E-government services to the public.

In FY 2002, we reported that DOT had enhanced security over the Internet (front door) connection points to DOT's internal networks,[4] but we found hundreds of unsecured telephone line (back door) connections. We also found that web sites operated by DOT were vulnerable to attack, and there was no security assurance for web sites operated by contractors. Further, DOT's process to report computer security incidents was not effective—some major attacks were not reported to the central authority in FY 2002.

[4] While the E-government web sites are connected to the Internet for public access, other DOT systems, which contain sensitive information, are connected to internal networks only. Entry points to internal networks are protected by security mechanisms, such as firewall security, to allow only authorized personnel to access the data.

During FY 2003, DOT made good progress securing "back door" network connections, reducing DOT's vulnerabilities to attack, and enhancing its security incident response capabilities. For example, the newly established departmental incident response center, with the cooperation of FAA's incident response center, detects, analyzes, and prevents hundreds of potential incidents from the Internet each day. We identified the following progress and remaining problems.

- We still found unsecured telephone line connections this year. These unsecured connections, which were located at one FAA facility, FAA Headquarters, and DOT Headquarters, allowed individuals located outside of DOT premises to make a direct connection to the DOT network without password authentication or callback security to validate the calling source, as required by DOT policy. DOT took action by terminating or establishing security mechanisms on 197 dial-up connections. It is currently reviewing the remaining 71 connections. (See Table 1 below.)

                                Table 1
          DOT Corrective Actions on Unsecured Dial-up Connections

                        Number of           Corrective Actions
                        Unsecured    Number of Dial-up         Number of
                        Dial-up      Connections Terminated    Dial-up
                        Connections  or Security Requirement   Connections
                        Identified   Established               Being Reviewed
      FAA Facilities       237*             170                     67
      FAA Headquarters      24               24                      0
      DOT Headquarters       7                3                      4
      Total                268              197                     71

      * 124 dial-up connections at one FAA facility were initially identified during FY 2002, and re-confirmed in FY 2003.

  To prevent the problem from recurring, DOT plans to improve the process of authorizing network connections, conduct quarterly compliance reviews, and install additional monitoring devices on DOT networks, if funding permits.

- This year, DOT began evaluating the security of contractor-operated web sites. Also, DOT-operated web sites are being regularly scanned to detect and eliminate vulnerabilities. For example, the number of vulnerabilities was reduced from 1,200 to 725 between June and July of this year. The enhanced security successfully protected DOT web servers from recent cyber worm attacks on the Internet.

  However, this scanning effort was not enforced on the Operating Administrations' internal networks. We found incidents where software patches were not properly installed on FAA systems and transit financial systems. The CIO Office needs to ensure that Operating Administrations periodically scan their internal networks and install software patches in a timely manner.

- DOT enhanced its security incident reporting capability by issuing new guidance and establishing a Departmentwide incident response center to coordinate security reporting. However, DOT still did not report all major security incidents to the central authority—only 17 of 39 major incidents associated with viruses, denial-of-service attacks, or web defacements were reported to the central authority this year.

  This occurred because DOT has not defined which incidents should be reported to the central authority. Failing to report these serious incidents could impair the central authority's effort to identify and respond to malicious cyber attacks against Federal government information resources in a timely manner.

  The central authority has published clear guidance describing what types of incidents to report.[5] DOT is revising its guidance to incorporate the central authority's reporting requirements. This action should result in improvement next year.

  [5] Federal Computer Incident Response Center Reporting Requirements, published at the www.fedcirc.gov web site.


Systems Security

More than 60,000 insiders—employees, contractors, grantees, and industry associations—have access to DOT computer systems. According to the Federal Bureau of Investigation, insiders remain a major threat—about 50 percent of unauthorized activities against all computers were done by insiders during 2003.

In FY 2002, we reported that DOT systems were vulnerable to abuse or attack because most had not undergone the system security certification review. This review, which is performed by system owners in conjunction with the CIO Office, is a critical and effective security measure to reduce the insider threat. The review determines whether individual systems are adequately secured commensurate with operational risks. We also found that DOT needed to develop a more reliable systems inventory and security cost estimates.

During FY 2003, DOT made progress by establishing a more reliable system inventory. However, DOT still has a long way to go in securing its computer systems from attack by insiders. In June 2003, OMB established a goal for agencies to increase system certification reviews from 47 percent (Governmentwide average as of September 2002) to 80 percent of their systems this year.[6] In response, the CIO revised DOT's goal and focused significant attention and resources on completing certification reviews. However, even with additional attention, only 33 percent of DOT's systems will have completed certification reviews by September 2003. With a 33-percent completion rate, DOT is trailing behind the Administration's goal. We identified the following progress and problems:

[6] According to OMB, 47% of Government-wide computer systems were reported as having undergone the security certification review as of September 2002. (FY 2002 Report to Congress on Federal Government Information Security Reform, dated March 16, 2003)

- DOT conducted over 150 certification reviews this year. As a result, the number of DOT systems certified as adequately secured will have increased from 12 percent to 33 percent for all systems, and from 21 percent to 68 percent for mission-critical systems, by the end of September 2003. In June 2003, DOT established a new performance goal to have 90 percent of total systems certified by July 2004. However, Operating Administration plans need to be adjusted to support this new goal, especially at FAA, which will have to review and certify more than 80 percent of its systems in the next 9 months. The CIO Office is working with the Operating Administrations to implement the new goal, including target completion dates throughout the year. This represents a significant improvement from previous Operating Administration plans, which called for all systems to be certified by September 2006. However, this new commitment will be a challenge to DOT and will require significant resource commitments to complete reviewing two-thirds of the total systems in the next 9 months. (See Table 2 below.)

                                Table 2
                  System Security Certification Reviews

      Operating         Total      Certified by      Systems to be
      Administration    Systems    September 2003    Certified by July 2004
      FAA                 421           70                  351
      FHWA                 25           14                   11
      FRA                  22            6                   16
      FMCSA                19            6                   13
      RSPA                 25            4                   21
      BTS                   7            3                    4
      MARAD                12            7                    5
      FTA                   7            7                    0
      OST                  46           46                    0
      NHTSA                42           42                    0
      SLSDC                 1            1                    0
      STB                   3            3                    0
      Total               630          209                  421
      Percentage         100%          33%                  67%

- DOT needs to ensure that systems are tested during certification reviews. One of the key steps in performing a security review is the security testing and evaluation process, which determines the system's compliance with specified security requirements. However, we found little documentation supporting that system security controls had been tested and evaluated.

  Specifically, we found that five out of eight systems we reviewed this year did not have adequate evidence to support the results of security testing. Security testing is required for both system security certification reviews and self assessments. Among these five systems, three have been certified as adequately secured and the other two have completed a self assessment, a building block for certification reviews. Our independent review of these systems found instances where controls were not functioning as intended. Further, we found one Federal Transit Administration system, which is used to manage billions of dollars in grant payments, was accredited for operations without having conducted any security testing or evaluation. Without testing or documenting the effectiveness of security controls, management cannot have reasonable assurance that risks are properly mitigated or that identified security problems are corrected. The lack of testing may explain why we found significant control weaknesses in the systems that had undergone security certification reviews.

  Another important step in performing a security certification and accreditation review is for the authorizing official to accept (accredit) the system for operations. Obtaining system accreditation from the correct authorizing official is critical because that official has to accept the risks of system operations. We selected 27 systems for review and found that 4 systems in 3 Operating Administrations (the Office of the Secretary, the Bureau of Transportation Statistics, and the Maritime Administration) were not accredited by authorized officials. DOT needs to perform quality assurance reviews on the Operating Administrations' system testing and accreditation.

- System owners still cannot support their security cost estimates and do not track security spending. During FY 2003, DOT provided training and tools to assist system owners in identifying costs associated with implementing security. We examined security cost estimates for five major IT investments in three Operating Administrations (FAA, the Bureau of Transportation Statistics, and the Maritime Administration), totaling $6.6 million. Again, we found that system owners did not use the DOT guidance and could not support the security cost estimates reported to OMB. Also, they could not provide data for actual security spending. As a result, there is little assurance that costs planned for securing computer systems are reliable or spent as intended.

  In addition, we continue finding inconsistent security cost estimate reporting to OMB. The Operating Administrations are required to report their security cost estimates for both budget review (Exhibit 53) and IT investment project review (Exhibit 300). These submissions were reviewed by the CIO Office. However, we found that security cost estimates differed by approximately $11 million between the two submissions. DOT needs to implement comprehensive processes and procedures for security cost preparation and execution.


Protecting National-critical Assets

About 100 computer systems and facilities supporting FAA air traffic control operations are considered national-critical assets because they are essential to the Nation's defense, economic security, or public confidence. These systems are not accessible to the public because they operate on dedicated networks with no direct connections to the Internet, and they are housed within secured compounds. However, if not adequately secured individually, these systems are vulnerable to abuse and attack by insiders—employees, contractors, and industry associations.

In FY 2002, we reported that FAA needed to accelerate security certification reviews of these critical computer systems and facilities, and enhance en route center contingency plans. During FY 2003, FAA continued strengthening its "boundary protection" at network entry points. It also assisted the DOT CIO Office by recommending scanning tools and researching various smart card technologies for Departmentwide use. However, FAA made only limited progress accelerating security certification reviews for these critical systems and facilities, and enhancing en route center contingency plans. We plan to issue a separate report detailing the findings and recommendations to the FAA Administrator and the departmental CIO.

- During FY 2003, FAA increased system certification reviews from 36 to 56 for these critical systems. However, these certification reviews were not adequate to ensure that all significant security vulnerabilities were identified and resolved. These systems are developed in FAA's computer laboratory and deployed to multiple operational sites. FAA's certification reviews focused on evaluating security in the development systems at the computer laboratory, but did not include any operational systems in the field. We found that system security vulnerabilities existed at the operational sites. FAA needs to expand security certification reviews to cover operational systems, because configurations and security controls differ at each operational site.

- FAA also has not enhanced en route center contingency plans to meet the increased need for emergency preparedness. FAA relies on 20 en route centers to direct high altitude traffic; these centers also provide flight information to other facilities. En route centers are well equipped to deal with short-term emergencies to ensure public safety. For example, all of the en route centers stayed intact and continued operations during the electricity blackout in September 2003. We plan to issue a separate report on FAA's readiness to deal with other emergencies, such as prolonged service disruptions at a facility or loss of the entire facility.


Personnel Security

Ensuring the integrity and reliability of the people authorized to access DOT systems is important. Training employees and conducting background checks help reduce personnel security risks. In FY 2002, we reported that DOT provided adequate security awareness training to all employees, but did not provide adequate specialized training to employees with significant security responsibilities because it had not completed identifying these individuals. We also reported that 24 percent of the contractor employees we sampled did not receive background checks and the Operating Administrations did not consistently include background check requirements in contracts.

This year, DOT did a commendable job in improving security training. FY 2003 was the second year that DOT provided Departmentwide security awareness training, including special sessions for senior officials, system owners, and security administrators. DOT also provided specialized training to more than 600 individuals with information security responsibilities. In addition, DOT issued specific guidance for including background check requirements in all system-related contracts. However, as we reported in FY 2002, the lack of background checks on individuals performing sensitive computer work remains a persistent problem in DOT.

- DOT did not conduct background checks on 9 of the 20 contractor employees hired by the CIO Office to perform security certification reviews on DOT systems. This happened because of inadequate background check requests and the practice of waiving checks on temporary personnel. According to DOT policy, individuals should receive background checks in accordance with their job sensitivity. For example, employees and contractors performing sensitive system work are required to receive a high level background check (Background Investigation). However, the CIO Office only requested low level background checks (fingerprint check) for its contractor employees because the work only lasted for 6 months.

  Unfortunately, the DOT security office did not even perform fingerprint checks on 9 of the 20 contractor employees because they were mistakenly believed to be temporarily engaged to perform low risk duties such as janitorial services. As a result, those individuals were given inappropriate access to sensitive information such as system vulnerability assessments and threat analyses without any background checks. After we identified this deficiency, DOT management immediately began fingerprinting these individuals and stopped the practice of waiving fingerprint checks on temporary personnel.

  We found similar incidents in the Operating Administrations. For example, 19 DOT and contractor employees performing sensitive work, such as maintaining network security, on the departmental accounting system and the transit grant management system did not receive adequate background checks.

  While background checks do not guarantee a person's loyalty or trustworthiness, they provide valuable information to help management determine whether an employee should be given access to DOT systems. This is especially critical to DOT because DOT relies on about 18,000 contractor employees to develop new systems, operate existing systems, and perform sensitive work such as managing network security, assessing computer vulnerabilities, or analyzing potential threats.

  As we reported in FY 2002, FAA has made significant progress in enhancing background checks on its contractors in recent years. However, in spite of multiple audit reports and DOT guidance issued on this subject, the lack of background checks on contractor employees remains a persistent problem in other Operating Administrations. The lack of progress may be due to the fact that responsibilities for background checks are divided among multiple organizations. The CIO, the Office of Security, and individual contracting officers all have a role. The CIO, the Senior Procurement Executive, and the Director of the Office of Security and Administrative Management need to work together to develop and enforce a specific plan to fix this problem next year.


System Contingency Planning

Contingency plans allow operations to continue in the event of service disruptions. In response to the increased need for preparedness, DOT has established emergency communications capabilities to allow senior managers to communicate if DOT Headquarters became nonfunctional.
However, DOT has\nnot focused on ensuring business continuity in case key computer system\noperations are disrupted. This may hinder DOT's readiness to participate in the\nAdministration's Forward Challenge exercise in 2004, which will test agencies'\nreadiness for major IT outages. Specifically,\n\n\xc3\x98 DOT requires contingency plans to allow every mission-critical information\n  system to rapidly and effectively deal with potential disruptions of business\n  functions. In spite of today's increased need for emergency preparedness, only\n  26 percent of DOT systems have established contingency plans.\n\n   In addition, existing system contingency plans are often inadequate. For\n   example, we selected 10 system contingency plans for review and found that\n   the business impact analysis\xe2\x80\x94the fundamental first step in planning for\n   contingencies\xe2\x80\x94was not performed for 4 systems. Without this analysis,\n   management does not know how long it could continue business operations\n   without computer systems support, which is critical to effective contingency\n   planning. Also, two systems lacked off-site recovery capabilities. These\n   systems support critical missions of tracking hazardous materials shipment and\n   processing key accounting functions. In addition, management did not install\n   proper equipment or perform tests at the recovery sites for three mission\n   critical systems, which are used to management billions of dollars of grant\n   payments and to compile essential transportation statistics. DOT management\n   took immediate actions to correct the weaknesses by establishing off-site\n\x0c                                                                                  14\n\n\n   recovery capabilities for the two systems and agreeing to conduct testing for\n   the other three systems.\n\n\xc3\x98 DOT needs to develop guidance on minimum geographic distance for recovery\n  processing sites. 
When selecting an off-site facility for system recovery\n  processing, the alternate location should be at a reasonable distance away from\n  the primary site to reduce the probability of losing both sites to the same\n  disaster. We found that most DOT system owners use existing facilities\n  operated by DOT or contractors as their recovery sites. While this may be\n  cost-effective, it does not provide adequate risk mitigation because some\n  recovery sites are too close to the primary sites.\n\n   For example, we found that geographic distances between the two sites are 10\n   miles for highway systems, 15 miles for transportation statistic systems, and 25\n   miles for transit systems. DOT relies on the highway and transit systems to\n   manage more than $30 billion of annual grant payments. With such close\n   proximity, a single catastrophic event could take both processing sites out of\n   service and seriously damage DOT's capability to support the highway and\n   transit industries. In contrast, the recovery site for the departmental accounting\n   system, which is used to manage $10 billion of annual contract payment, is\n   about 800 miles away from the primary processing site. DOT needs to provide\n   guidance on minimum acceptable geographic distance between the primary\n   and recovery sites.\n\nRECOMMENDATIONS\n1. 
We recommend that the DOT Chief Information Officer implement the following actions to improve oversight of IT investments:

   a) Develop specific criteria for selecting IT investment projects that should be reviewed by the departmental Investment Review Board, and direct the Operating Administrations to report the status of these investment projects to the DOT CIO Office.

   b) Verify the reliability and reasonableness of IT budget requests before submission to OMB.

   c) Ensure appropriate Operating Administrations are invited to attend the departmental Board review meetings, and ensure that DOT CIO Office staff attend the Operating Administrations' review meetings when appropriate.

2. We recommend that the DOT Chief Information Officer incorporate corrective action plans and target completion dates for the following items in the FY 2003 Federal Managers' Financial Integrity Act report:

   a) Commit resources to fix the following repeated security weaknesses that we had included in previous security evaluation reports:

      i. Require the Operating Administrations to provide support for security cost estimates.

      ii. Work with the DOT Senior Procurement Executive and the Director of Office of Security and Administrative Management to ensure adequate background checks are performed on personnel performing sensitive computer work.

   b) Issue guidance to ensure complete reporting of major security incidents to the Federal Computer Incident Response Center.

   c) Improve the authorization process and perform quarterly compliance reviews of connections to DOT's internal networks; and install additional monitoring devices to detect unsecured telephone line (dial-up modem) connections. In addition, direct the Operating Administrations to perform vulnerability assessments of their computers to ensure timely installation of software patches.

   d) Direct the Operating Administrations to develop and implement plans to meet DOT's new goal of having 90 percent of all systems certified for adequate security by July 2004; perform quality assurance checks of system certification reviews to ensure adequate testing of security controls and proper accreditation by designated officials; and require the Operating Administrations to track security expenditures.

   e) Require FAA to develop and implement a timetable to conduct security certification reviews of air traffic control systems at operational sites.

   f) Direct the Operating Administrations to develop and implement plans to perform business impact analysis, develop contingency plans, and conduct testing to ensure business continuity in case computer system operations are disrupted. In addition, issue guidance on the minimum acceptable geographic distance between the primary and recovery processing sites.


MANAGEMENT COMMENTS
A draft of this report was provided to the DOT Chief Information Officer and the FAA Chief Information Officer on September 23, 2003. They agreed with the report's findings and recommendations. The DOT Chief Information Officer agreed to provide specific action plans and estimated completion dates in DOT's FMFIA submissions to OMB.


ACTION REQUIRED
In accordance with DOT Order 8000.1C, within 30 days, please provide the specific actions taken or planned, including specific target dates for completion on the recommendations. In addition, we would appreciate receiving DOT's FMFIA corrective action plan upon its submission to OMB.

We appreciate the courtesies and cooperation of DOT and the Operating Administrations' representatives. If you have questions concerning this report, please call Ted Alves, Assistant Inspector General for Financial Management and Information Technology Audits, at (202) 366-1992, or Rebecca Leng, Deputy Assistant Inspector General for Information Technology and Computer Security Audits, at (202) 366-1496.

                                         #


EXHIBIT A. OIG INPUT TO FISMA REPORT

For the last 2 years, DOT reported its information security program as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA). This year, DOT made significant progress meeting its commitment to improve information security. The most noteworthy improvement DOT has made since we began the annual information security review in FY 2001 is in protecting its computer systems from attack by outsiders. For example, DOT enhanced its defense against intrusions from the Internet in FY 2002, and further reduced its vulnerability to attack this year by establishing a Departmentwide security incident response center. This center, in conjunction with FAA's incident response center, detects, analyzes, and prevents hundreds of potential intrusions from the Internet on a daily basis. Also, this year, DOT appointed a Chief Information Officer (CIO), increased the CIO's resources and influence, and developed a more reliable inventory of systems, all of which further strengthened DOT's information security protection.

However, DOT still has a long way to go in securing its computer systems from attack by insiders: employees, contractors, grantees, and industry associations.
According to the Federal Bureau of Investigation, insiders remain a major threat—about 50 percent of unauthorized activities against all computers were done by insiders during 2003. DOT is not exempted from such a threat. We also found that DOT needs to enhance its contingency planning to ensure business continuity in case key computer system operations are disrupted for a prolonged period of time.

In view of the security weaknesses that still need to be corrected, DOT's information security program remains a material weakness and requires continued senior management attention. In FY 2004, it will be critical for the departmental CIO, with support from the Operating Administrators and their respective CIOs, to continue exercising leadership and providing the direction and oversight to ensure that the Operating Administrations develop adequate plans to correct the remaining weaknesses and execute those plans effectively. DOT's progress correcting the remaining weaknesses will help clarify whether the CIO has adequate authority, resources, and processes to ensure effective IT security and investment management controls.


A.1. Identify the agency's total IT security spending and each individual major operating division or bureau's IT security spending as found in the agency's FY03 budget enacted. This should include critical infrastructure protection costs that apply to the protection of government operations and assets. Do not include funding for critical infrastructure protection pertaining to lead agency responsibilities such as outreach to industry and the public.

   Bureau Name        FY03 IT Security Spending ($ in thousands)
   __                 __
   Agency Total       __

OIG was not required to respond to this question.


A.2a. Identify the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials and CIOs in FY03, the total number of contractor operations or facilities, and the number of contractor operations or facilities reviewed in FY03.
Additionally, IGs shall also identify the total number of programs, systems, and contractor operations or facilities that they evaluated in FY03.

                                                  FY03 Programs          FY03 Systems           FY03 Contractor Operations or Facilities
   Bureau Name                                    Total    Reviewed      Total    Reviewed      Total    Reviewed
   BTS                                              1         1             7        7             1         1
   FAA                                              1         1           421      157             9         9
   FHWA                                             1         1            25       25             7         7
   FMCSA                                            1         1            19       19             6         4
   FRA                                              1         1            22       22             6         6
   FTA                                              1         1             7        7             2         1
   MARAD                                            1         1            12       12             0         0
   NHTSA                                            1         1            42       42             2         2
   OST                                              1         1            46       46             3         3
   RSPA                                             1         1            25       25             0         0
   SLSDC                                            1         1             1        1             0         0
   STB                                              1         1             3        3             0         0
   Agency Total                                    12        12           630      366            36        33
   Number reviewed by Office of Inspector General  __        12            __       27            __         2

b. For operations and assets under their control, have agency program officials and the agency CIO used appropriate methods (e.g., audits or inspections) to ensure that contractor provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy?

   Yes: X    No: __

c. If yes, what methods are used? If no, please explain why.

   This year DOT began evaluating contractor operated web sites. DOT used the NIST Self-Assessment guidance 800-26. Several systems located at contractor facilities have been certified and accredited. Others are currently going through certification or self-assessment reviews.

d. Did the agency use the NIST self-assessment guide to conduct its reviews?

   Yes: X    No: __

e. If the agency did not use the NIST self-assessment guide and instead used an agency developed methodology, please confirm that all elements of the NIST guide were addressed in the agency methodology.

   Yes: __    No: __

f. Provide a brief update on the agency's work to develop an inventory of major IT systems.

   During FY 2003, DOT revised its system inventory. The revised system inventory showed a reduction in the number of total computer systems (from about 1,200 to 630) and mission-critical systems (from 500 to 220) as a result of transferring two Operating Administrations to the Department of Homeland Security and consolidating systems inventory accounting. FAA accounted for two-thirds of the reduction. We consider the revised system inventory reasonable.


A.3. Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law in FY03. Identify the number of material weaknesses repeated from FY02, describe each material weakness, and indicate whether POA&Ms have been developed for all of the material weaknesses.

FY03 Material Weaknesses (columns: Bureau Name; Total Number; Total Number Repeated from FY02; Identify and Describe Each Material Weakness; POA&Ms developed? Y/N)

   Identify and Describe Each Material Weakness:

   For the last two years, DOT reported its information security program as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA). Since we began the annual computer security review of DOT's information security program in FY 2001, DOT has made significant progress protecting its systems from attack by outsiders.
However, DOT still has a long way to go in securing its computer systems from attack by insiders. A critical and effective security measure to reduce this threat is to perform system certification reviews. However, only 33 percent of DOT systems will have undergone such reviews as of September 30, 2003. We also found that DOT needs to enhance its system contingency planning efforts.

   In view of the extensive remaining security weaknesses, DOT's information security program remains a material weakness and requires continued senior management attention. We have included recommendations in our annual information security independent evaluation report number (FI-2003-086), dated September 25, 2003, to help the Department correct the material weakne

   Bureau Name: Department of Transportation (Agency Total)    Total Number: 1    Total Number Repeated from FY02: 1    POA&Ms developed? Yes


A.4. This question is for IGs only. Please assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestone process that meets the criteria below. Where appropriate, please include additional explanation in the column next to each criterion.

   Agency program officials develop, implement, and manage POA&Ms for every system that they own and operate (systems that support their programs) that has an IT security weakness.
      Yes: X (1)    No: __

   Agency program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress.
      Yes: X    No: __

   Agency CIO develops, implements, and manages POA&Ms for every system that they own and operate (systems that support their programs) that has an IT security weakness.
      Yes: X    No: __

   The agency CIO centrally tracks and maintains all POA&M activities on at least a quarterly basis.
      Yes: X    No: __

   The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.
      Yes: X    No: __

   System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11) to tie the justification for IT security funds to the budget process.
      Yes: X (2)    No: __

   Agency IGs are an integral part of the POA&M process and have access to agency POA&Ms.
      Yes: X    No: __

   The agency's POA&M process represents a prioritization of agency IT security weaknesses that ensures that significant IT security weaknesses are addressed in a timely manner and receive, where necessary, appropriate resources.
      Yes: X (3)    No: __

(1) In July 2003, we brought it to management's attention that not all systems with known security weaknesses had a POA&M. DOT took immediate corrective actions and agreed to have POA&Ms developed for all systems with an IT security weakness by September 30, 2003.

(2) System level POA&Ms are linked directly to the budget submission. However, as we reported this year, system owners cannot support system security budget cost estimates and do not track spending to ensure that resources are spent as requested.

(3) DOT has implemented a process to prioritize security weaknesses; however, at this time, it is unknown whether the process has been effectively implemented.


B.1. Identify and describe any specific steps taken by the agency head to clearly and unambiguously set forth FISMA's responsibilities and authorities for the agency CIO and program officials. Specifically how are such steps implemented and enforced?

   During FY 2003, the Secretary made progress by appointing a Departmentwide CIO and obtaining significant budget increases for the Office of the CIO. The Secretary also increased the CIO's influence over IT decisions by forming a departmental Investment Review Board (the Board). The CIO is a key member on the Board.

   Creation of the Board and enhancement of the CIO's influence should improve DOT's oversight of IT investments and security; however, it is too early to judge their effectiveness. Historically, the Operating Administrations have functioned independently on IT matters with little departmental direction. Also, the Review Board did not start reviewing IT investments until June this year. During FY 2004, at the request of the Senate Appropriations Committee, we plan to evaluate the effectiveness of the CIO's efforts to coordinate with the Operating Administrations in improving IT security and investment controls.


B.2. Can a major operating component of the agency make an IT investment decision without review by and concurrence of the agency CIO?

   Yes. DOT policy requires Operating Administrations to develop a business case (Exhibit 300) for major IT investments, which is reviewed by the CIO for concurrence. Non-major IT investments (with a lifecycle cost of less than $150 million) are not subject to the same review process for concurrence. The Operating Administrations can and do make non-major IT investment decisions without CIO review and concurrence.


B.3. How does the head of the agency ensure that the agency's information security plan is practiced throughout the life cycle of each agency system?

   The Secretary has delegated the responsibility for developing and maintaining DOT's information security program to the CIO. The CIO Office has issued multiple implementation guidelines, including methodology to certify system security throughout the life cycles of individual systems. During FY 2003, the number of DOT systems certified as adequately secured will increase from 12 percent to 33 percent for all systems, and from 21 percent to 68 percent for mission-critical systems. Nonetheless, DOT is trailing behind the Administration's goal of having 80 percent of systems certified for adequate security by September 2003. To emphasize the importance of this task, DOT recently established a new goal to have 90 percent of all systems certified for adequate security by July 2004. However, Operating Administrations' plans need to be adjusted to support this new goal. The CIO office is working with the Operating Administrations to develop work plans to meet this new goal.


B.4. During the reporting period, did the agency head take any specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and practiced throughout the lifecycle of each system? Please describe.

   The Secretary delegated the responsibility of overseeing program officials' performance of practicing information security to the CIO. Both the CIO's and program officials' performance are subject to our independent evaluation. According to the CIO Office, they conducted compliance reviews on the Operating Administrations' progress in developing security plans and certifying systems for meeting requirements. However, we could not verify the effectiveness of the CIO's compliance reviews because there was no documentation of the discussions or actions taken resulting from the reviews. In addition, DOT needs to improve the quality of security testing. We found that 5 out of 8 systems we reviewed this year did not have any documentation supporting the result of security testing. We recommended corrective actions in our independent evaluation report.


B.5. Has the agency integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security)? Please describe.

   The creation of the Department of Homeland Security (DHS) has resulted in a major impact on DOT critical infrastructure security responsibilities. Since DHS is now the lead agency, DOT no longer has primary responsibilities for securing the critical infrastructure in the transportation sector. However, DOT is still responsible for securing about 100 air traffic control systems critical to the nation's infrastructure. For other security responsibilities, DOT has integrated its information security program with the continuity of operations program, but not the physical security program. During FY 2003, the CIO Office, in conjunction with DOT emergency staff, established emergency communications capabilities to allow senior managers to communicate if DOT Headquarters became nonfunctional. The CIO Office is also monitoring the Operating Administrations' development of contingency plans for computer systems. However, as we reported this year, only 26 percent of DOT systems have contingency plans and some of these contingency plans were inadequate or had not been tested.


B.6. Does the agency have separate staffs

   DOT has a separate office responsible for the physical security program, which reports to the Assistant Secretary for Administration. Both the Assistant Secretary and the CIO report to the Secretary.
These two offices work\n                                                   together on joint projects, such as exploring use of the smart card technology to enhance access security (the\ndevoted to other security programs, are such\n                                                   Common Access Architecture Project). They also work together on developing the infrastructure in DOT\xe2\x80\x99s new\nprograms under the authority of different\n                                                   Headquarters building.\nagency officials, if so what specific efforts\nhave been taken by the agency head or other\n                                                   FAA also has divided these security responsibilities. The FAA CIO is responsible for leading system security\nofficials to eliminate unnecessary duplication\n                                                   certifications, and the Associate Administrator for Civil Aviation Security is responsible for leading physical security\nof overhead costs and ensure that policies and\n                                                   certifications. Both report to the FAA Administrator. The timetables for system and physical security certification\nprocedures are consistent and complimentary        reviews are not coordinated. While completion of system certification reviews has been accelerated to FY 2004,\nacross the various programs and disciplines?       physical security certifications are still scheduled to be completed in FY 2009.\n\n\n\n\n                                                                                                                                                                              23\n\x0cB.7. Identification of agency's critical operations and assets (both national critical operations and assets and mission critical) and the interdependencies and interrelationships of\nthose operations and assets.\n\na. Has the agency fully identified its national critical operations and assets?        
                           Yes                   X         No                           __\nb. Has the agency fully identified the interdependencies and interrelationships of those nationally critical\noperations and assets?\n                                                                                                                  Yes                   X         No                           __\nc. Has the agency fully identified its mission critical operations and assets?                                    Yes                   X         No                           __\nd. Has the agency fully identified the interdependencies and interrelationships of those mission critical\noperations and assets?\n                                                                                                                  Yes                   X         No                           __\n\n\n                                                                                                                  Last year, DOT planned to use the Project Matrix methodology to\n                                                                                                                  identify interrelationships of mission-critical systems. DOT later\n                                                                                                                  concluded that it is not cost-beneficial to pursue the use of Project\n                                                                                                                  Matrix. Instead, DOT issued guidance for establishing and maintaining\n                                                                                                                  an inventory of general support systems and major applications. 
Using\n                                                                                                                  this guide, the Operating Administrations are required to record all their\n                                                                                                                  systems as either mission critical or non-mission critical, and to\n                                                                                                                  document any system information sharing, interfaces,\ne. If yes, describe the steps the agency has taken as a result of the review.                                     interdependencies and interrelationships. DOT identified 222 mission\n                                                                                                                  critical systems and about 400 non-mission critical systems.\n\n                                                                                                                  DOT has identified about 100 mission critical air traffic control systems\n                                                                                                                  as essential to the nation's defense, economic security, or public\n                                                                                                                  confidence. These systems have national significance and need to be\n                                                                                                                  secured on a priority basis. DOT used the same inventory\n                                                                                                                  methodology in identifying interdependencies and interrelationships of\n                                                                                                                  these national critical systems.\n\n\n\n\nf. 
If no, please explain why.                                                                                                               __\n\n\n\n\n                                                                                                                                                                                       24\n\x0cB.8. How does the agency head ensure that the agency, including all components, has documented procedures for reporting security incidents and sharing information\nregarding common vulnerabilities?\n\n                                                                             During FY 2003, DOT established the Transportation Cyber Incident Response Center (TCIRC)\n                                                                             to work with FAA's Computer Security Incident Response Center (CSIRC), and to coordinate\n                                                                             Departmentwide reporting of cyber incidents to the central authority (FedCIRC). Reporting to law\na. Identify and describe the procedures for external reporting to law\n                                                                             enforcement authorities is coordinated with the Office of Inspector General. However, DOT\nenforcement authorities and to the Federal Computer Incident Response\n                                                                             external reporting procedure is not consistent with FedCIRC guidance. The Operating\nCenter (FedCIRC).                                                            Administrations reported a total of 69 incidents during FY 2003, of which 39 were major\n                                                                             incidents. 
As we reported this year, DOT only reported 17 of 39 major incidents associated with\n                                                                             viruses, denial-of-services attacks, or web defacements to FedCIRC.\n\nb. Total number of agency components or bureaus.                             12\nc. Number of agency components with incident handling and response\n                                                                             12\ncapability.\n\nd. Number of agency components that report to FedCIRC.                       2 (DOT's TCIRC and FAA's CSIRC)\n\ne. Does the agency and its major components share incident information\n                                                                             DOT reported 15 incidents to FedCIRC within 1 to 10 days depending on the criticality of the\nwith FedCIRC in a timely manner consistent with FedCIRC and OMB\n                                                                             incident. But 2 incidents were reported to FedCIRC more than 40 days after the occurrences.\nguidance?\nf. What is the required average time to report to the agency and FedCIRC     DOT requires the Operating Administrations report serious incidents to TCIRC within 24 hours.\nfollowing an incident?                                                       DOT has agreed to establish a time requirement for reporting to FedCIRC.\n                                                                        DOT oversees timely patch installation on DOT public-facing web servers through its weekly\n                                                                        scanning which identifies the vulnerabilities that need to be patched. However, as we reported\ng. How does the agency, including the programs within major components,\n                                                                        this year, the automatic scanning was not consistently performed on DOT's private networks. 
We\nconfirm that patches have been tested and installed in a timely manner? found several incidents where DOT computers were vulnerable to attack because management\n                                                                        did not install software patches timely.\nh. Is the agency a member of the Patch Authentication and Distribution\nCapability operated by FedCIRC?\n                                                                             Yes                  X      No                         _ _\n\n                                                                             DOT was given 75 account seats by FedCIRC for using this service. Currently, DOT has created\ni. If yes, how many active users does the agency have for this service?      49 user accounts, but only 3 Operating Administrations (4 users) are actively using this service.\n                                                                             Other Operating Administrations obtain software patches from manufactures directly.\n\nj. Has the agency developed and complied with specific configuration\nrequirements that meet their own needs?\n                                                                             Yes            _ _          No                                      X\nk. Do these configuration requirements address patching of security\nvulnerabilities?\n                                                                             Yes            __           No                                      X\n\n\n\n\n                                                                                                                                                                                 25\n\x0cB.9. 
Identify by bureau, the number of incidents (e.g., successful and unsuccessful network penetrations, root or user\naccount compromises, denial of service attacks, website defacing attacks, malicious code and virus, probes and\nscans, password access)\n                            Number of incidents      Number of incidents reported      Number of incidents reported\nBureau Name                     reported                 externally to FedCIRC         externally to law enforcement\nBTS                                2                             1                                  0\nFAA                                3                             1                                  0\nFHWA                              28                             1                                  0\nFMCSA                              1                             0                                  0\nFRA                                4                             1                                  0\nFTA                                0                             0                                  0\nMARAD                              2                             0                                  0\nNHTSA                              2                             1                                  0\nOST                               26                             12                                 1\nRSPA                               1                             0                                  0\nSLSDC                              0                             0                                  0\nSTB                                0                             0                                  0\n        Total                     69                             17                                 1\n\n\n\n\n                                                                                                                         26\n\x0cC.1. 
Have agency program officials and the agency CIO: 1) assessed the risk to operations and assets under their control; 2) determined the level of\nsecurity appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for\neach system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques? By each major\nagency component and aggregated into an agency total, identify actual performance in FY03 according to the measures and in the format provided\nbelow for the number and percentage of total systems.\n\n\n\n\n                                                                                                              g. Number of\n                                                                                        f. Number of          systems for                          i. Number of\n                              c. Number of        d. Number of                          systems with          which security                       systems for\n                              systems             systems that       e. Number of       security control      controls have                        which\n                              assessed for risk   have an up-to-     systems            costs integrated      been tested and     h. Number of     contingency\n               b. Total       and assigned a      date IT            certified and      into the life cycle   evaluated in the    systems with a plans have been\n               Number         level or risk       security plan      accredited*        of the system         last year           contingency plan tested\n               of              No. of    % of\na. Bureau Name Systems        Systems   Systems    No.       %        No.       %         No.       %           No.       %        No.       %       No.       
%\n\nBTS                       7         7     100%           3    43%           3    43%            7    100%             7   100%           2    29%          1       14%\nFAA                     421       180      43%      126       30%       70       17%       206        49%        164       39%       70       17%      70          17%\nFHWA                     25        14      56%       14       56%       14       56%        25       100%         14       56%           7    28%          7       28%\nFMCSA                    19        19     100%           6    32%           6    32%        19       100%             6    32%           6    32%          0       0%\nFRA                      22        22     100%           6    27%           6    27%        22       100%             6    27%           0     0%          0       0%\nFTA                       7         7     100%           7   100%           7   100%         7       100%             7   100%           3    43%          0       0%\nMARAD                    12        12     100%           7    58%           7    58%        12       100%             7    58%           5    42%          0       0%\nNHTSA                    42        42     100%       42      100%       42      100%        42       100%         42      100%       42      100%      17          40%\nOST                      46        46     100%       46      100%       46      100%        46       100%         46      100%           8    17%          8       17%\nRSPA                     25        25     100%       25      100%           4    16%        25       100%         25      100%       20       80%          0       0%\nSLSDC                     1         1     100%           1   100%           1   100%            1    100%             1   100%           1   100%          0       0%\nSTB                       3         3     100%           3   100%           3   100%            3    100%             3   100%           3   100%        
  0       0%\n\nAgency Total            630       378    60.0%      286      45.4%     209      33.2%      415      65.9%        328      52.1%     167      26.5%    103      16.3%\n\n\n                 Based on our sample test, we did not identify any major discrepancies that would cause us to question the reliability\n                 of the performance measures reported by the CIO Office.\n\n\n\n\n                                                                                                                                                                         27\n\x0cC.2. Identify whether the agency CIO has adequately maintained an agency-wide IT security program and ensured the effective implementation of the program and evaluated\nthe performance of major agency components.\n\n                                                                                                                              Has the agency CIO         Do agency POA&Ms\nHas the agency CIO                                                                                                            appointed a senior         account for all known\nmaintained an agency-   Did the CIO evaluate the                                                                              agency information         agency security\nwide IT security        performance of all agency How does the agency CIO ensure that bureaus comply with the agency-wide     security officer per the   weaknesses including all\nprogram? Y/N            bureaus/components? Y/N IT security program?                                                          requirements in FISMA?     components?\n\n                                                                                                                                YES. 
In FY 2002, DOT\n                                                                                                                                created an SES\n                                                                                                                                position\xe2\x80\x94Associate CIO\n                                                                                                                                for Information Security.\n                                                  The CIO Office collects system security certification review information and  During FY 2003, the\n                                                  POA&M data from the Operating Administrations on a quarterly basis. As we position was renamed as\n                                                  reported this year, the CIO Office needs to perform quality assurance reviews the Associate CIO for IT\n                                                  of data collected from the Operating Administrations. We found incidents that Programs with added\nYES                     YES                                                                                                                               YES\n                                                  systems were certified as adequately secured without adequate security        responsilities of capital\n                                                  testing or evaluation. The lack of adequate testing may explain why we found planning and investment\n                                                  significant control deficiencies in systems that had undergone security       controls and enterprise\n                                                  certification reviews.                                                        architecture. 
The\n                                                                                                                                Associate CIO spent 60\n                                                                                                                                percent of her time on\n                                                                                                                                security this year.\n\n\n\n\n                                                                                                                                                                              28\n\x0cC.3. Has the agency CIO ensured security training and awareness of all agency employees, including contractors and those employees with significant IT\nsecurity responsibilities?\n\n                                                            Agency employees with\nTotal                                 Total number of       significant security\nnumber of   Agency employees that     agency employees      responsibilities that\nagency      received IT security      with significant IT   received specialized                                                                 Total costs for\nemployees   training in FY03          security              training                                                                             providing training in\nin FY03     Number       Percentage   responsibilities      Number         Percentage Briefly describe training provided                         FY03\n\n\n\n\n                                                                                       DOT has done a commendable job in providing general\n                                                                                       security awareness training to more than 60,000 employees.\n                                                                                       FY 2003 is the second year that DOT provided\n             
                                                                          Departmentwide security awareness training, including\n                                                                                       sessions directed to senior management, program officials,\n                                                                                       and system users. DOT also provided specialized training\n                                                                                       sessions such as network security to more than 600\n                                                                                       individuals assigned with information security\n  62,565      62,565      100.0%              681               678         99.6%      responsibilities.                                          $       413,374.00\n\n\n\n\n                                                                                                                                                                         29\n\x0cC.4. Has the agency CIO fully integrated security into the agency\xe2\x80\x99s capital planning and investment control process? Were IT\nsecurity requirements and costs reported on every FY05 business case (as well as in the exhibit 53) submitted by the agency to\nOMB?\n\n                                    Did the agency program official        Did the agency CIO plan and\n             Number of business     plan and budget for IT security and    budget for IT security and             Are IT security costs reported\nBureau       cases submitted to     integrate security into all of their   integrate security into all of their   in the agency's exhibit 53 for\nName         OMB in FY05            business cases? Y/N                    business cases? Y/N                    each IT investment? 
Y/N\nBTS                    3                            Yes                                    Yes                                 Yes\nFAA                    24                           Yes                                    Yes                                 Yes\nFHWA                   6                            Yes                                    Yes                                 Yes\nFMCSA                  3                            Yes                                    Yes                                 Yes\nFRA                    2                            Yes                                    Yes                                 Yes\nFTA                    3                            Yes                                    Yes                                 Yes\nNHTSA                  7                            Yes                                    Yes                                 Yes\nOST                    10                           Yes                                    Yes                                 Yes\nRSPA                   2                            Yes                                    Yes                                 Yes\n\n\n\n\n                                                                                                                                                   30\n\x0c                                                                              31\n\n\n\n\nEXHIBIT B. SCOPE AND METHODOLOGY\n\nDuring Fiscal Year 2003, we fulfilled the requirements under FISMA by\nreviewing DOT major financial systems, FAA air traffic control systems, and the\nnewly established capital planning and investment control process for managing\nIT projects. In addition, we reviewed DOT's FISMA submission and performed\nsample reviews to ensure the reasonableness of key performance measures\nreported. 
We also provided input to DOT's FISMA report by answering questions\nspecified by OMB.\n\nWe used the audit methodologies recommended by the General Accounting Office\nand the President's Council on Integrity and Efficiency, and guidelines issued by\nother Government authorities such as the National Institute of Standards and\nTechnology. We used commercial scanning software to assess DOT's network\nand web vulnerabilities.\n\nWe performed our work throughout FY 2003 and focused on reviewing FISMA\nreporting between May 2003 and September 2003 at DOT and its Operating\nAdministrations' Headquarters located in Washington, D.C. The audit was\nconducted in accordance with Government Auditing Standards prescribed by the\nComptroller General of the United States.\n\nWe previously issued two audit reports on DOT's information security program in\nresponse to the legislative mandate of the Government Information Security\nReform Act--DOT Information Security Program, Report Number FI-2002-115,\nSeptember 27, 2002; and DOT Information Security Program, Report Number FI-\n2001-090, September 7, 2001.\n\x0c                                                 32\n\n\n\n\nEXHIBIT C. DOT COMPONENTS\n\n\nBureau of Transportation Statistics\nFederal Aviation Administration\nFederal Highway Administration\nFederal Motor Carrier Safety Administration\nFederal Railroad Administration\nFederal Transit Administration\nMaritime Administration\nNational Highway Traffic Safety Administration\nOffice of the Secretary\nResearch and Special Programs Administration\nSurface Transportation Board\nSaint Lawrence Seaway Development Corporation\n\x0c                                                                   33\n\n\n\n\nEXHIBIT D. 
MAJOR CONTRIBUTORS TO THIS REPORT\n\nTHE FOLLOWING INDIVIDUALS CONTRIBUTED TO THIS REPORT.\n\n\n\n  Name                        Title\n\n  Rebecca Leng                Deputy Assistant Inspector General for\n                              Information Technology and Computer\n                              Security\n\n  Nathan Custer               Project Manager\n\n  Philip deGonzague           Project Manager\n\n  Michael Marshlick           Senior Computer Scientist\n\n  Ping Sun                    Senior Computer Scientist\n\n  James Mallow                Senior Auditor\n\n  Henry Lee                   Computer Scientist\n\n  Gary Klauber                Computer Scientist\n\n  Cynthia Tims                Information Technology Specialist\n\n  Mitchell Balakit            Information Technology Specialist\n\n  Bradley Kistler             Information Technology Specialist\n\n  Jean Yoo                    Information Technology Specialist\n\x0c"